stalwart

v0.16.7 Feature

This release adds 2 notable features for engineering teams evaluating rollout.

Published 5d Communication & Email

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

caldav carddav imap jmap mail pop3

+4 more

rust server smtp webdav

Affected surfaces

auth rbac

Summary

AI summary

Updates MTA, https://github.com/stalwartlabs/stalwart/blob/main/UPGRADING/v0_16.md, and https://datatracker.ietf.org/doc/html/draft-ietf-httpapi-ratelimit-headers-10 across a mixed release.

Changes in this release

Type	Severity	Summary	CVE
Feature	Low	Adds RateLimit header fields for HTTP Adds RateLimit header fields for HTTP Source: llm_adapter@2026-05-29 Confidence: high	—
Feature	Low	Adds `spamtest` command in trusted Sieve scripts for MTA Adds `spamtest` command in trusted Sieve scripts for MTA Source: llm_adapter@2026-05-29 Confidence: high	—
Bugfix
Bugfix	Medium	Logs rejected messages to tracing store Logs rejected messages to tracing store Source: llm_adapter@2026-05-29 Confidence: high	—
Bugfix	Medium	Always updates next DSN notify times in MTA Always updates next DSN notify times in MTA Source: llm_adapter@2026-05-29 Confidence: high	—
Bugfix	Medium	Expands lists and resolves catch‑all addresses when building autogenerated messages in MTA Expands lists and resolves catch‑all addresses when building autogenerated messages in MTA Source: llm_adapter@2026-05-29 Confidence: high	—
Bugfix	Medium	Includes resources with direct ACL grant that are leaves in Sharing Includes resources with direct ACL grant that are leaves in Sharing Source: llm_adapter@2026-05-29 Confidence: high	—
Bugfix	Medium	Prevents deletion of tasks in OSS builds Prevents deletion of tasks in OSS builds Source: llm_adapter@2026-05-29 Confidence: high	—
Bugfix	Medium	Corrects per‑domain external directory resolution failures in Directory component Corrects per‑domain external directory resolution failures in Directory component Source: llm_adapter@2026-05-29 Confidence: high	—
Bugfix	Medium	Keeps external `TXT` records when updating RRSet in DNS updater Keeps external `TXT` records when updating RRSet in DNS updater Source: llm_adapter@2026-05-29 Confidence: high	—
Bugfix	Medium	Rejects requests from blocked IPs even when `Keep-Alive` is enabled in HTTP server Rejects requests from blocked IPs even when `Keep-Alive` is enabled in HTTP server Source: llm_adapter@2026-05-29 Confidence: high	—

Full changelog

[0.16.7] - 2026-05-28

If you are upgrading from v0.16.x, replace the binary (or run docker pull). If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

RateLimit header fields for HTTP (draft-ietf-httpapi-ratelimit-headers-10)
MTA: Implement spamtest in trusted Sieve scripts.

Changed

Fixed

Log rejected messages to tracing store.
MTA:
- Always update next DSN notify times.
- Expand lists and resolve catch-all addresses when building autogenerated messages.
Sharing: Includes resource that themselves carry a direct ACL grant and are leaves.
Tasks cannot be deleted in OSS builds.
Directory: Per-domain external directory resolution fails.
DNS updater: Keep external TXT records when updating RRSet.
HTTP: Reject requests from blocked IPs when Keep-Alive is enabled.

Check binary attestation here

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track stalwart

Get notified when new releases ship.

About stalwart

All-in-one Mail & Collaboration server. Secure, scalable and fluent in every protocol (IMAP, JMAP, SMTP, CalDAV, CardDAV, WebDAV).

All releases →